Chesapeake Regional Healthcare discovered on February 6, 2018 that two hard drives from the Chesapeake Regional Medical Center campus in Chesapeake, Virginia were missing. The hard drives contained the protected health information (PHI) of about 2,100 patients who participated in studies at the Sleep Center from April 2015 to February 2018.

There’s no clear report yet on what happened to the hard drives. It is still unknown how and when the hard drives got lost. An investigation team searched for the missing hard drives but it was not found. Chesapeake Regional Healthcare already reported the hard drives as lost or stolen to the appropriate law enforcement. There’s no high expectation that the devices will ever be found again.

A problem with the lost hard drives is that they were not encrypted. If anyone finds the hard drives, the PHI of patients could be accessed. The information contained in the hard drive includes names, birth dates, unique patient identifiers, demographic information, procedures and tests performed at the Sleep Center and prescribed medications. There’s nothing to worry about losing addresses, Social Security numbers, financial data and insurance information because these information were not stored in the device.

Chesapeake Regional Healthcare is trying its best to make sure that there will be no similar breaches in the future. One important step is the review of policies and security procedures related to the PHI stored in portable electronic devices. Data encryption is a helpful technology but there are no instructions yet on how it will be used for data management.

Chesapeake Regional Healthcare is now sending breach notifications to its patients. The patients are also being offered 12 months of free credit card monitoring and identity theft protection services. In case of misuse of the breached information, patients will be given assistance to mitigate the harm.